Cisco Web Security Appliance S670 User Guide
20-5
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 20 Authentication
Understanding How Authentication Works
When users access the web through a Web Security appliance that requires authentication, the Web Proxy asks the client for authentication credentials. The Web Proxy communicates with both the client and the authentication server to authenticate the user and process the request.
Figure 20-1 shows how the Web Security appliance communicates with clients and authentication servers.
Figure 20-1 Web Security Appliance Authentication
The Web Security appliance supports the following authentication protocols:
• Lightweight Directory Access Protocol (LDAP). The Web Proxy uses the LDAP Bind operation to query an LDAP-compatible authentication server. The appliance supports standard LDAP server authentication and secure LDAP authentication.
For more information about LDAP configuration options, see .
• NT LAN Manager (NTLM). The Web Proxy uses NTLM, a Microsoft proprietary protocol, to authenticate users that exist in Microsoft Active Directory. The NTLM protocol uses a challenge-response sequence of messages between the client and the Active Directory server. You can use either the NTLMSSP or the Basic authentication scheme on the client side.
For more information about NTLM configuration options, see
In addition to the preceding protocols, the Web Security appliance supports the following client-side authentication schemes:
• Basic. Allows a client application to provide authentication credentials in the form of a user name and password when it makes a request. You can use the Basic authentication scheme with either an LDAP or Active Directory server.
• NTLMSSP. Allows the client application to provide authentication credentials in the form of a challenge and response. It uses a binary message format to authenticate clients that use the NTLM protocol to access network resources. You can use the NTLMSSP authentication scheme only with an Active Directory server. When the Web Proxy uses NTLMSSP, most client applications can use the Windows login credentials for authentication and users do not need to enter their credentials again. This is called “single sign-on.”
For more information, see .
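The two client-side schemes just described look different on the wire. The following is an added example in Python, not code from the Cisco guide or the appliance: it builds the proxy's 407 challenge that offers NTLM and Basic, and classifies the client's Proxy-Authorization header as Basic (user name and password in base64) or NTLMSSP (binary message with a type field). The realm, user name and sample messages are constructed for this example.

```python
import base64
import struct

# Added example, not Cisco's code: how a proxy tells the two client-side schemes
# apart when they arrive in the Proxy-Authorization header. Scheme names, sample
# values and the realm string are constructed for this example.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # fixed 8-byte prefix of every NTLMSSP message
NTLM_MESSAGE_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def proxy_challenge(schemes=("NTLM", "Basic"), realm="proxy"):
    """Build the 407 response that offers the configured client-side schemes."""
    lines = ["HTTP/1.1 407 Proxy Authentication Required"]
    for scheme in schemes:
        if scheme == "Basic":
            lines.append(f'Proxy-Authenticate: Basic realm="{realm}"')
        else:
            lines.append(f"Proxy-Authenticate: {scheme}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_proxy_authorization(header_value):
    """Classify the client's Proxy-Authorization value.

    Basic carries user:password in base64 only (no encryption), so the proxy and
    anything on the path can read it; the password is decoded here but not returned.
    NTLMSSP carries a binary message whose type is a little-endian uint32 at offset 8.
    """
    scheme, _, token = header_value.strip().partition(" ")
    raw = base64.b64decode(token, validate=True)
    if scheme.lower() == "basic":
        user, sep, _password = raw.decode("utf-8").partition(":")
        if not sep:
            raise ValueError("Basic credentials must be user:password")
        return {"scheme": "Basic", "user": user, "cleartext": True}
    if scheme.lower() == "ntlm":
        if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
            raise ValueError("not an NTLMSSP message")
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"scheme": "NTLMSSP", "message": NTLM_MESSAGE_TYPES.get(msg_type, "Unknown"),
                "cleartext": False}
    raise ValueError(f"unsupported scheme: {scheme}")


# Constructed samples: a Basic credential and a minimal NTLMSSP Type 1 (Negotiate).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()
SAMPLE_NTLM_NEGOTIATE = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 24).decode()
```

The `cleartext` flag is the practical difference for a defender: Basic credentials are recoverable by anyone who can read the client-to-appliance connection, whereas NTLMSSP exchanges a challenge and a response instead of the password itself.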
[Figure 20-1 diagram: Client <-- Basic or NTLMSSP --> Web Security Appliance <-- LDAP or NTLM --> Authentication Server]